
Thursday, 21 September 2017


PERSONAL TRAINING COURSES
ON BUILDING MANAGEMENT SYSTEMS
IN ACCORDANCE WITH THE REQUIREMENTS OF:

1. Regulation (EU) 2016/679 - Protection of personal data;
2. ISO 27001 / ISO 27002 / ISO 27032 - Information / cyber security;
3. ISO 20000-1 - IT services;
4. ISO 14001 - Environment

All personal courses described in the following table are delivered remotely, according to an individual programme agreed in advance with the trainee that takes into account his or her specific needs, including current knowledge and experience in the relevant field. The courses are of two types: "introductory" and "basic". All "introductory" courses are free of charge. The "basic" courses are paid; the price is negotiated separately with each trainee and depends on the scope and level of detail of his or her individual training programme.

No. | COURSE NAME                                                            | MAIN COMPLIANCE STANDARDS
1   | Building a personal data protection management system (NEW COURSE!)   | REGULATION (EU) 2016/679
2   | Building an information / cyber security management system            | ISO 27001, ISO 27002, ISO 27032
3   | Building a service management system                                   | ISO 20000-1, ISO 20000-2
4   | Building an environmental management system                            | ISO 14001

For questions and additional information:

Пламен Каменов

+359 886 655 315

Wednesday, 20 September 2017


REGULATION (EU) 2016/679 and ISO 27001

TRAINING AND CONSULTING ON BUILDING A

Personal data protection management system,
in accordance with the requirements of REGULATION (EU) 2016/679

The scope of the offered training and consulting is specific to each organisation and is determined mainly by the following two factors:
1. Whether the organisation is registered as a personal data controller under the Personal Data Protection Act (ЗЗЛД);
2. Whether the organisation has an established, functioning and certified information security management system (ISO 27001).
In all cases the training and consulting include:
1. Review of the requirements of REGULATION (EU) 2016/679;
2. Review of the main activities the organisation must carry out when building a personal data protection management system;
3. Approach to selecting the control / protective mechanisms required to meet the requirements of REGULATION (EU) 2016/679;
4. Approach to building a personal data protection management system:
- as a subsystem of the information security management system (ISO 27001);
- as a stand-alone security system.
5. Review of the main requirements for the data protection officer.
6. Development of the documents required by the Regulation relating to the protection of personal data.

For questions and additional information:
Пламен Каменов
0886 655 315

Note:
The following table summarises the requirements of Regulation (EU) 2016/679 on the protection of personal data and possible control mechanisms (defined in ISO 27001) for meeting them.

No. | Requirement under Regulation (EU) 2016/679 | Implementation of the requirement through a control under ISO 27001 / 27002

SCOPE
1 | Article 3 (territorial scope) and Article 27 (representatives) | A.18.1.4 (l) (compliance with privacy and protection of personally identifiable information)
2 | Article 4, section 1, subsection 1 (personal data) | A.8.2.1 (classification of information)

PROCESSING OF PERSONAL DATA
1 | Article 6 (common personal data) and Article 9 (sensitive data) | A.8.2.1 (classification of information)
2 | Article 4, section 1, subsection 2 (processing) | A.8.1.3 (acceptable use of assets)
3 | Article 4, section 1, subsection 7 (controller) | A.18.1.4 (l) (compliance with privacy and protection of personally identifiable information)
4 | Article 4, section 1, subsection 8 (processor) | A.18.1.4 (l) (compliance with privacy and protection of personally identifiable information)
5 | Article 6 (common personal data - lawfulness of processing), Article 9 (sensitive data), Article 85 (processing and freedom of expression and information (journalistic, academic, artistic and literary purposes)), Article 86 (public access to official documents), Article 87 (national identification number), Article 88 (employment), Article 89 (public interest, scientific, historical and statistical purposes) and Article 90 (secrecy) | A.18.1.4 (l) (compliance with privacy and protection of personally identifiable information)
6 | Article 4, section 1, subsection 16 (main establishment), Article 60 (cooperation between supervisory authorities, one-stop-shop and the consistency mechanism) and Article 55 (competence of the supervisory authority) | A.6.1.3 (contact with authorities)

PRINCIPLES
1 | Article 5 (principles) | A.8.2.3 (handling of assets)
2 | Article 5, section 1, subsection a (lawful, fair and transparent); Article 6, section 1, subsection a (consent); Article 7 (consent); Article 8 (consent for children); Article 9, section 2, subsection a (consent) | A.18.1.4 (l) (compliance with privacy and protection of personally identifiable information); A.12.1.1 (documented operating procedures)
3 | Article 5, section 1, subsection a (lawful, fair and transparent) and Article 6, section 1, subsection f (legitimate interests) | A.18.1.4 (l) (compliance with privacy and protection of personally identifiable information); A.12.1.1 (documented operating procedures)
4 | Article 5, section 1, subsection a (lawful, fair and transparent) and Article 6, section 1, subsection b (contract) or subsection c (legal obligation) | A.18.1.4 (l) (compliance with privacy and protection of personally identifiable information)
5 | Article 5, section 1, subsection a (lawful, fair and transparent) and Article 6 (lawfulness of processing), Article 9 (sensitive information), Article 85 (processing and freedom of expression and information (journalistic, academic, artistic and literary purposes)), Article 86 (public access to official documents), Article 87 (national identification number), Article 88 (employment law), Article 89 (public interest, scientific, historical and statistical purposes) and Article 90 (secrecy) | A.18.1.4 (l) (compliance with privacy and protection of personally identifiable information); A.12.1.1 (documented operating procedures)
6 | Article 5, section 1, subsection a (lawful, fair and transparent) | A.18.1.4 (l) (compliance with privacy and protection of personally identifiable information)
7 | Article 5, section 1, subsection b (purpose limitation) | A.18.1.4 (l) (compliance with privacy and protection of personally identifiable information)
8 | Article 5, section 1, subsection c (data minimisation) | A.18.1.4 (l) (compliance with privacy and protection of personally identifiable information); A.12.1.1 (documented operating procedures)
9 | Article 5, section 1, subsection d (accuracy) (see also Articles 16-21) | A.12.1.1 (documented operating procedures)
10 | Article 5, section 1, subsection d (accuracy) (see also Articles 16-21) | A.12.1.1 (documented operating procedures)
11 | Article 5, section 1, subsection e (storage limitation) | A.12.1.1 (documented operating procedures)
12 | Article 5, section 1, subsection f (integrity and confidentiality) (see also Article 32) | A.5.1.1 (policies for information security); A.6.1.5 (information security in project management); A.14.1.1 (security requirements analysis and specification); A.14.2.5 (secure system engineering principles)

RIGHTS OF DATA SUBJECTS
1 | Article 12, section 2 (transparency) | A.12.1.1 (documented operating procedures)
2 | Article 12, section 3 (transparency) | A.12.1.1 (documented operating procedures)
3 | Article 13, sections 1 and 2 (information to be provided when personal data are collected from the data subject); Article 14, sections 1 and 2 (information to be provided when personal data are not obtained from the data subject); Article 15, section 1 (right of access by the data subject) | A.12.1.1 (documented operating procedures); A.6.1.1 (information security roles and responsibilities); A.18.1.4 (l) (compliance with privacy and protection of personally identifiable information); A.8.2.1 (classification of information); A.13.2.1 (information transfer policies and procedures)
4 | Article 16 (rectification), Article 17 (right to erasure) and Article 18 (right to restriction of processing) | A.12.1.1 (documented operating procedures)
5 | Article 19 (notification obligation) | A.12.1.1 (documented operating procedures)
6 | Article 20 (data portability) | A.12.1.1 (documented operating procedures)
7 | Article 21 (right to object) | A.12.1.1 (documented operating procedures); A.18.1.4 (l) (compliance with privacy and protection of personal data)
8 | Article 22 (profiling) | A.12.1.1 (documented operating procedures); A.18.1.4 (l) (compliance with privacy and protection of personally identifiable information)

OBLIGATIONS OF THE ORGANISATION
1 | Article 24, section 1 (responsibility of the controller) | A.5.1.1 (policies for information security); A.5.1.2 (review of the policies for information security); A.18.2.2 (compliance with security policies and standards)
2 | Article 24, section 2 (responsibility of the controller) | A.5.1.1 (policies for information security); A.5.1.2 (review of the policies for information security)
3 | Article 25, sections 1 and 2 (data protection by design and by default) | A.5.1.1 (policies for information security); A.6.1.5 (information security in project management); A.14.1.1 (security requirements of information systems); A.14.2.5 (secure system engineering principles)
4 | Recital 78 of the preamble (data protection by design in tendering procedures) | A.15.1.1 (information security policy for supplier relationships); A.15.1.2 (addressing security within supplier agreements); A.13.2.2 (agreements on information transfer)
5 | Article 28, section 1 (processor) | A.15.1.1 (information security policy for supplier relationships); A.15.1.2 (addressing security within supplier agreements); A.13.2.1 (information transfer policies and procedures); A.13.2.2 (agreements on information transfer)
6 | Article 28, section 2 (processor) | A.15.1.1 (information security policy for supplier relationships); A.15.1.2 (addressing security within supplier agreements); A.13.2.1 (information transfer policies and procedures); A.13.2.2 (agreements on information transfer)
7 | Article 28, section 3 (processor) | A.9.2.2 (user access provisioning); A.9.4.1 (information access restriction); A.12.1.1 (documented operating procedures); A.13.2.2 (agreements on information transfer); A.15.1.1 (information security policy for supplier relationships); A.15.1.2 (addressing security within supplier agreements); A.16.1.3 (reporting information security weaknesses)
8 | Article 30, section 1 (records of processing activities) | A.12.1.1 (documented operating procedures)
9 | Article 30, section 2 (records of processing activities) | A.12.1.1 (documented operating procedures)
10 | Article 32, sections 1 and 2 (security of processing) | A.5.1.1 (policies for information security); A.6.1.5 (information security in project management); A.14.1.1 (security requirements of information systems); A.14.2.5 (secure system engineering principles)
11 | Article 32, section 1, subsection a (security of processing) | A.10.1.1 (policy on the use of cryptographic controls); A.9.4.1 (information access restriction)
12 | Article 32, section 1, subsection b (security of processing) | A.5.1.1 (policies for information security); A.14.1.1 (security requirements of information systems); A.14.2.5 (secure system engineering principles)
13 | Article 32, section 1, subsection c (security of processing) | A.12.3.1 (information backup); A.17.1.1 (planning information security continuity); A.17.1.2 (implementing information security continuity)
14 | Article 32, section 1, subsection d (security of processing) | A.14.2.8 (system security testing); A.14.2.9 (system acceptance testing); A.12.7.1 (information systems audit controls); A.15.2.1 (monitoring and review of supplier services); A.18.2 (information security reviews)
15 | Article 32, section 4 (security of processing) | A.5.1.1 (policies for information security); A.14.1.1 (security requirements of information systems); A.14.2.5 (secure system engineering principles)
16 | Article 33, sections 1 and 3 (notification of security incidents to the supervisory authority) | A.16.1.1 (responsibilities and procedures); A.16.1.5 (response to information security incidents); A.6.1.3 (contact with authorities)
17 | Article 33, section 5 (notification of security incidents to the supervisory authority) | A.16.1.7 (collection of evidence); A.12.4 (logging and monitoring)
18 | Article 33, section 2 (notification of security incidents to the supervisory authority) | A.16.1.3 (reporting information security weaknesses)
19 | Article 34 (communication of a personal data breach to the data subjects) | A.16.1.5 (response to information security incidents)
20 | Article 35, section 1 (data protection impact assessment) | A.6.1.5 (information security in project management); A.14.1.1 (security requirements of information systems); A.14.2.5 (secure system engineering principles)
21 | Article 36, section 1 (prior consultation) | A.6.1.3 (contact with authorities)
22 | Article 37 (designation of the data protection officer) | A.6.1.1 (information security roles and responsibilities)

SPECIAL CASES
1 | Article 44 (general principle for transfers) | A.18.1.4 (l) (compliance with privacy and protection of personally identifiable information)
2 | Article 44 (general principle for transfers) | A.18.1.4 (l) (compliance with privacy and protection of personally identifiable information)
3 | Article 46 (transfers) | A.15.1.2 (addressing security within supplier agreements)
4 | Article 46 and Article 47 (transfers) | A.15.2.1 (monitoring and review of supplier services)
5 | Many articles in the Regulation allow for national interpretation / implementation | A.18.1.4 (l) (compliance with privacy and protection of personally identifiable information)
6 | Many articles in the Regulation make national interpretation / implementation possible | A.18.1.4 (l) (compliance with privacy and protection of personally identifiable information)